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Abstract 


This document describes new Elliptic Curve Cryptography (ECC) groups 
for use in the Internet Key Exchange (IKE) and Internet Key Exchange 
version 2 (IKEv2) protocols in addition to previously defined groups. 
Specifically, the new curve groups are based on modular arithmetic 
rather than binary arithmetic. These new groups are defined to align 
IKE and IKEv2 with other ECC implementations and standards, 
particularly NIST standards. In addition, the curves defined here 
can provide more efficient implementation than previously defined ECC 
groups. 
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Les 


Introduction 


This document describes default Diffie-Hellman groups for use in IKE 
and IKEv2 in addition to the Oakley groups included in [IKE] and the 
additional groups defined since [IANA-IKE]. This document assumes 
that the reader is familiar with the IKE protocol and the concept of 
Oakley Groups, as defined in RFC 2409 [IKE]. 


RFC 2409 [IKE] defines five standard Oakley Groups: three modular 
exponentiation groups and two elliptic curve groups over GF[2‘N]. 
One modular exponentiation group (768 bits - Oakley Group 1) is 
mandatory for all implementations to support, while the other four 
are optional. Thirteen additional groups subsequently have been 
defined and assigned values by IANA. All of these additional groups 
are optional. Of the eighteen groups defined so far, eight are MODP 
groups (exponentiation groups modulo a prime), and ten are EC2N 
groups (elliptic curve groups over GF[2*N]). See [RFC3526] for more 
information on MODP groups. 


The purpose of this document is to expand the options available to 
implementers of elliptic curve groups by adding three ECP groups 
(elliptic curve groups modulo a prime). The reasons for adding such 
groups include the following. 


- The groups proposed afford efficiency advantages in software 
applications since the underlying arithmetic is integer arithmetic 
modulo a prime rather than binary field arithmetic. (Additional 
computational advantages for these groups are presented in [GMN].) 


- The groups proposed encourage alignment with other elliptic curve 


standards. The proposed groups are among those standardized by 
NIST, the Standards for Efficient Cryptography Group (SECG), ISO, 
and ANSI. (See Section 5 for details.) 


- The groups proposed are capable of providing security consistent 
with the new Advanced Encryption Standard. 


These groups could also be defined using the New Group Mode, but 
including them in this RFC will encourage interoperability of IKE 
implementations based upon elliptic curve groups. In addition, the 
availability of standardized groups will result in optimizations for 
a particular curve and field size and allow precomputation that could 
result in faster implementations. 


In summary, due to the performance advantages of elliptic curve 
groups in IKE implementations and the need for further alignment with 
other standards, this document defines three elliptic curve groups 
based on modular arithmetic. 
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2. Requirements Terminology 


The keywords "MUST" and "SHOULD" that appear in this document are to 
be interpreted as described in [RFC2119]. 


3. Additional ECC Groups 


The notation adopted in RFC 2409 [IKE] is used below to describe the 
new groups proposed. 


3.1. 256-bit Random ECP Group 
IKE and IKEv2 implementations SHOULD support an ECP group with the 
following characteristics. The curve is based on the integers modulo 
the generalized Mersenne prime p given by 
p = 2%(256)-2% (224) +2% (192) +2% (96) -1 
The equation for the elliptic curve is: 
y°2 = x*3 - 3 x +b 


Field Size: 
256 


Group Prime/Irreducible Polynomial: 
FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF FFFFFFFF FFFFFFFF 


Group Curve b: 
5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53BOF6 3BCE3C3E 27D2604B 


Group Order: 
FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551 


The group was chosen verifiably at random using SHA-1 as specified in 
[IEEE-1363] from the seed: 


C49D3608 86E70493 6A6678E1 139D26B7 819F7E90 
The generator for this group is given by g=(gx,gy) where 


gx: 
6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296 


gy: 
4FE342E2 FEIA7F9B 8EE7EB4A 7COF9E16 2BCE3357 6B315ECE CBB64068 37BF51F5 
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3.2. 384-bit Random ECP Group 
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IKE and IKEv2 implementations SHOULD support an ECP group with the 


following characteristics. 


The curve is based on the integers modulo 


the generalized Mersenne prime p given by 


The equation for the elliptic curve is: 


Field Size: 
384 


P 


= 2% (384) -2% (128) -2% (96) +2% (32) -1 


y^2 = x*3 - 3 x +b 


Group Prime/Irreducible Polynomial: 
FRFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE 


FFFFFFFF FFFFFFFF 
FFFFFFFF 00000000 


Group Curve b: 
B3312FA7 E23EE7E4 


00000000 FFFFFFFF 


C656398D 8A2ED19D 


Group Order: 
FFFFFFFF FFFFFFFF 
581A0DB2 48B0A77A 


988E056B E3F82D19 181D9C6E FE814112 0314088F 5013875A 


2A85C8ED D3EC2AEF 


FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7634D81 F4372DDF 


ECEC196A CCC52973 


The group was chosen verifiably at random using SHA-1 as specified in 
[IEEE-1363] from the seed: 


A335926A A319A27A 1D00896A 6773A482 7ACDAC73 


The generator for this group is given by g=(gx,gy) where 


gx: 
AA87CA22 BE8B0537 
5502F25D BF55296C 


gy: 
3617DE4A 96262C6F 
OA60B1CE 1D7E819D 
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8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38 


3A545E38 72760AB7 


5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5FOB8CO 


7A431D7C Q9OEAOESF 
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3.3. 521-bit Random ECP Group 


ECP Groups for IKE and IKEv2 


January 2007 


IKE and IKEv2 implementations SHOULD support an ECP group with the 


following characteristics. 
the Mersenne prime p given by 


p = 2%(521)-1 


The equation for the elliptic curv 
y^2 = x*3 - 3 x +b 


Field Size: 
521 


Group Prime/Irreducible Polynomial: 
O1LFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFF 


Group Curve b: 
0051953E B9618E1C 
09E15619 3951EC7E 
3F00 


9A1F929A 21A0B685 
937B1652 COBD3BB1 


Group Order: 
O1LFFFFFF FFFFFFFF 
FFFA5186 8783BF2F 
6409 


FFFFFFFF FFFFFFFF 
966B7FCC 0148F709 


e is: 


FFFFFFFF 
FFFFFFFF 


40EEA2DA 
BF073573 


FFFFFFFF 
A5D03BB5 


FFFFFFFF 
FFFFFFFF 


725B99B3 
DF883D2C 


FFFFFFFF 
C9B8899C 


FFFFFFFF 
FFFFFFFF 


15F3B8B4 
34F1EF45 


FFFFFFFF 
47AEBB6F 


The curve is based on the integers modulo 


FFFFFFFF 
FFFFFFFF 


89918EF1 
1FD46B50 


FFFFFFFF 
B71E9138 


The group was chosen verifiably at random using SHA-1 as specified in 


[IEEE-1363] from the seed: 


DO9E8800 291CB853 96CC6717 393284AA AODA64BA 


The generator for this group is given by g=(gx,gy) 


gx: 
00C6858E 
3DBAA14B 
BD66 


gy: 
01183929 
662C97EE 
6650 
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ional 


where 


06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 
SET7EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 


6A789A3B COO045C8A 5SFB42C7D 1BD998F5 4449579B 446817AF 
72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 


AF606B4D 
7E31C2E5 


BD17273E 
94769FD1 
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4. 


Security Considerations 


Since this document proposes new groups for use within IKE and IKEv2, 
many of the security considerations contained within [IKE] and 
[IKEv2] apply here as well. 


The groups proposed in this document correspond to the symmetric key 
sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key 
exchange to offer security comparable with the AES algorithms [AES]. 
Alignment with Other Standards 


The following table summarizes the appearance of these three elliptic 
curve groups in other standards. 


256-bit 384-bit 521-bit 

Random Random Random 
Standard ECP Group ECP Group ECP Group 
NIST [DSS] P-256 P-384 P-521 


ISO/IEC [ISO-15946-1] P-256 


ISO/IEC [ISO-18031] P-256 P-384 P-521 
ANSI [X9.62-1998] Sect). 0.94.37 
Example 1 
ANSI [X9.62-2005] Sect. L.6.4.3 Sect. L.6.5.2 Sect. L.6.6.2 
ANSI [X9.63] Sect. J.5.4, Sect. 3.525 Sect. J.5.6 
Example 2 
SECG [SEC2] secp256rl1 secp384rl1 secp521r1 


See also [NIST], [1S0-14888-3], [ISO-15946-2], [ISO-15946-3], and 
[ISO-15946-4]. 


IANA Considerations 


IANA has updated its registries of Diffie-Hellman groups for IKE in 
[IANA-IKE] and for IKEv2 in [IANA-IKEv2] to include the groups 
defined above. 


In [IANA-IKE], the groups appear as new entries in the list of 
Diffie-Hellman groups given by Group Description (attribute class 4). 
The descriptions are "256-bit random ECP group", "384-bit random ECP 
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group", and "521-bit random ECP group". In each case, the group type 
(attribute class 5) has the value 2 (ECP, elliptic curve group over 
GF[P]). 


In [IANA-IKEv2], the groups appear as new entries in the list of 
IKEv2 transform type values for Transform Type 4 (Diffie-Hellman 
groups). 


7. ECP Key Exchange Data Formats 


In an ECP key exchange, the Diffie-Hellman public value passed in a 
KE payload consists of two components, x and y, corresponding to the 
coordinates of an elliptic curve point. Each component MUST have bit 
length as given in the following table. 


Diffie-Hellman group component bit length 
256-bit Random ECP Group 256 
384-bit Random ECP Group 384 
521-bit Random ECP Group 528 


This length is enforced, if necessary, by prepending the value with 
zeros. 


The Diffie-Hellman public value is obtained by concatenating the x 
and y values. 


The format of the Diffie-Hellman shared secret value is the same as 
that of the Diffie-Hellman public value. 


8. Test Vectors 


The following are examples of the IKEv2 key exchange payload for each 
of the three groups specified in this document. 


We denote by g^n the scalar multiple of the point g by the integer n; 
it is another point on the curve. In the literature, the scalar 
multiple is typically denoted ng; the notation g*n is used in order 
to conform to the notation used in [IKE] and [IKEv2]. 
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8.1. 256-bit Random ECP Group 


January 2007 


IANA assigned the ID value 19 to this Diffie-Hellman group. 


We suppose that the initiator’s Diffie-Hellman private key is 


T 
C88FO1F5 10D9AC3F 


Then the public 


gix: 
DADOB653 94221CF9 


giy: 
5271A046 1CDB8252 


The KEi payload 
00000048 00130000 
945D0C37 72581180 
389E0577 B8990BB3 


We suppose that 


fies 
C6EF9C5D 78AE012A 


Then the public 


gX: 
D12DFB52 89C8D4F8 


gry: 
56FBF3CA 366CC23E 


The KEr payload 
00000048 00130000 


736FC755 4494BF63 
53E74F33 039872AB 
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70A292DA A2316DE5 44E9AAB8 AFE84049 


key is given by g^i=(gix,giy) where 


BO51E1FE CA5787D0 98DFE637 FC90B9EF 


D61F1C45 6FA3E59A B1F45B33 ACCF5F58 
is as follows. 

DADOB653 94221CF9 BO51E1FE CA5787D0 
52714046 1CDB8252 D61F1C45 6FA3E59A 


the response Diffie-Hellman private 


011164AC B397CE20 88685D8F O6BF9BEO 


key is given by g^r=(grx,gry) where 


1208B702 70398C34 2296970A OBCCB74C 


8157854C 13C58D6A AC23F046 ADA30F83 
is as follows. 


D12DFB52 89C8D4F8 1208B702 70398C34 
56FBF3CA 366CC23E 8157854C 13C58D6A 


Informational 


C62A9C57 862D1433 


945D0C37 72581180 


389E0577 B8990BB3 


98DFE637 FC90B9EF 
B1F45B33 ACCFSF58 


key is 


B283AB46 476BEE53 


736FC755 4494BF63 


53E74F33 039872AB 


2296970A OBCCB74C 
AC23F046 ADA30F83 
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The shared secret value g*ir=(girx,giry) where 


girx: 
D6840F6B 42F6EDAF D13116E0 E£1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE 


giry: 
522BDEOA FOD8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2 


These are concatenated to form 
GOL: 


D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE 
522BDEOA FOD8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5SD98EDB2 OEB153A2 


This is the value that is used in the formation of SKEYSEED. 
8.2. 384-bit Random ECP Group 

IANA assigned the ID value 20 to this Diffie-Hellman group. 

We suppose that the initiator’s Diffie-Hellman private key is 
a 
O099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3COF16 0647B674 14DCE655 
E35B5380 41E649EE 3FAEF896 783AB194 

Then the public key is given by g*i=(gix,giy) where 
gix: 


667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 1634FE72 B4C55EE6 
DE3AC808 ACB4BDB4 C88732AE E95F41AA 


giy: 
9482ED1F COEEB9CA FC498462 5CCFC23F 65032149 EOE144AD A0241815 35A0F38E 
EBOFCFF3 C2C947DA E69B4C63 4573A81C 


The KEi payload is as follows. 


00000068 00140000 667842D7 D180AC2C DE6F74F3 7551F557 55C7645C 20EF73E3 
1634FE72 B4C55EE6 DE3AC808 ACB4BDB4 C88732AE E95F41AA 9482ED1F COEEB9SCA 
FC498462 5CCFC23F 65032149 EOE144AD AO0241815 35A0F38E EB9FCFF3 C2C947DA 
E69B4C63 4573A81C 


We suppose that the response Diffie-Hellman private key is 


hai 
41CB0779 B4BDB85D 47846725 FBEC3C94 30FAB46C C8DC5060 855CC9BD A0AA2942 
E0308312 916B8ED2 960E4BD5 5A7448FC 
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Then the public key is given by g^ 


grx: 
E558DBEF 53EECDE3 D3FCCFC1 AEA08A89 
OD1AC43A 0336DEF9 6FDA41D0 774A3571 


gry: 
DCFBEC7A ACF31964 72169E83 8430367F 
F83FA401 42209DFF SEAAD96D B9E6386C 


The KEr payload is as follows. 


00000068 00140000 ES558DBEF 53EECDE3 
83CFA417 32BC509D OD1AC43A 0336DEF9 
72169E83 8430367F 66EEBE3C 6E70C416 
5EAAD96D B9E6386C 
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r=(grx,gry) where 


A987475D 12FD950D 83CFA417 


66EEBE3C 6E70C416 DD5SFOC68 


D3FCCFC1 AEAO8A89 A987475D 
6FDA41D0 774A3571 DCFBEC7A 
DD5FOC68 759DD1FF F83FA401 


The shared secret value g*ir=(girx,giry) where 


girx: 
11187331 C279962D 93D60424 3FD592CB 
D6031355 69B9E9D0 9YCF5D4A2 70F59746 


giry: 
A2A9F38E FSCAFBE2 347CF7EC 24BDD5E6 
C983135D 4669F879 2F2C1D55 718AFBB4 


These are concatenated to form 
GC aS 
11187331 C279962D 93D60424 3FD592CB 
D6031355 69B9E9DO 9YCF5D4A2 70F59746 
24BC93BF A82771F4 ODIB65D0 6256A852 


This is the value that is used in 


8.3. 521-bit Random ECP Group 


9D0A926F 422EF4718 7521287E 


24BC93BF A82771F4 OD1B65D0 


9D0A926F 42264718 7521287E 
A2A9F38E F5CAFBE2 347CF7EC 
C983135D 4669F879 2F2C1D55 


the formation of SKEYSEED. 


IANA assigned the ID value 21 to this Diffie-Hellman group. 


We suppose that the initiator’s Diffie-Hellman private key is 


i 


32BC509D 


759DD1FF 


12FD950D 
ACF31964 
42209DFF 


7156C5C4 


6256A852 


7156C5C4 
24BDD5E6 
718AFBB4 


OO37ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0 


95AA85A3 OFE1C295 2C6771D9 37BA9777 F5957B26 39BABO72 462F68C2 7A57382D 


4A52 
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Then the public 


gix: 
0015417E 84DBF28C 
E1E3BF42 EOOB8E38 
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key is given by g*i=(gix,giy) where 


OAD3C278 
OAEAE57C 


ED3E 


giy: 
017CAE20 B6641D2E 
D8A78801 5AC405D7 
9582 


The KEi payload 


0000008C 00150000 
D98BAB43 57C9ECBE 
601723C4 195D176C 
1D5A514C 739D7CB4 
07438BF0 1BEB6CA3 


We suppose that 


rs 
0145BA99 A847AF43 
9C677D60 0B343757 
5EB9 


Then the public 


grx: 
00D0B397 5AC4B799 
9B97C356 436ADC6E 
460F 


gry: 
015C6822 6383956E 
220B6536 C5C408A1 
C56A 


The KEr payload 


0000008c 00150000 
728B5E57 39735A21 
ED2B6171 640012D9 
Al10C2C72 4D985207 
32296579 AB44FCD1 
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EB695786 
799DC75E 


713349DC 
2D107564 


D8C94614 
7B7D5B6C 


is as follows. 


0015417E 
ELE3BF42 
ED3E017C 
A10AD8A7 
926F9582 


84DBF28C 
EOOB8E38 


7DF153C8 
94188594 


6239D099 
F2261A6A 


OAD3C278 
OAEAES7C 


AE20B664 
88015AC4 


1D2EEB69 
05D7799D 


97A1891B 
2AF5A7F4 


E18E1D5A 
7F150743 


713349DC 
2D107564 
5786D8C9 
C75E7B7D 


the response Diffie-Hellman private 


793FDDOE 872E7CDF A16BE30F 
A3BDBF2A 3163E4C2 F869CCA7 458AA4A4 


DC780F97 


key is given by g^r=(grx,gry) where 


F5BEA16D 
95BB0352 


3BD066E7 
D2AEBB8E 


5E13E9AF 
F 6BE64A6 


97B623C2 
86D678AE 


is as follows. 


00D0B397 
9B97C356 
460F015C 
7B87220B 
TFOFCS6A 


5AC4B799 
43 6ADC6E 
68226383 
6536C5C4 


971D5E9B 
C2912D4E 


7TCEOEAC2 
49CB5709 


F5BEA16D 
95BB0352 
956E3BD0 
08A1D2AE 
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984C9F39 
F2D0433C 


F551A10C 
1F473229 


5E13E9AF 
F 6BE64A6 
66E797B6 
BB8E8 6D6 


January 2007 


D98BAB43 
601723C4 


514C739D 
8BF01BEB 


7DF153C8 
94188594 
46146239 
5B6CF226 


key is 


BCCC3F07 
EFFC311F 


728B5E57 
ED2B6171 


2C724D98 
6579AB44 


971D5E9B 
C2912D4E 
23C27CEO 
78AE49CB 


57C9ECBE 
195D176C 


7CB4A10A 
6CA3 92 6F 


97A1891B 
2AF5A7F4 
D099E18E 
1A6A7F15 


8380201E 
5CB15168 


39735A21 
640012D9 


52077B87 
FCD17FOF 


984C9F39 
F2D0433C 
EAC2F551 
57091F47 
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et value g*ir=(girx,giry) where 


girx: 
01144C7D 79AE6956 
D1427E73 CA4BAA24 
DDEA 


giry: 
01B901E6 B17DB294 
9FFC3C63 EAOSEDB1 


BC8EDB8E 7C787C45 21CBO86F A64407F9 7894E5E6 B2D79B04 
0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 


7AC017D8 53EF1C16 74E5CFE5 9CDA18D0 78E05D1B 5242ADAA 
E13CE5B3 A8E50C3E B622E8DA 1B38E0BD D1F88569 D6C99BAF 


FA43 


These are concatenated to form 


g* irs: 

01144C7D 79AER6956 
D1427E73 CA4BAA24 
DDEAO1B9 01E6B17D 
ADAASFFC 3C63EA05 


BC8EDB8E 7C787C45 21CBO86F A64407F9 7894E5E6 B2D79B04 
0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3 
B2947ACO 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242 
EDB1E13C E5B3A8E5 OC3EB622 E8DA1B38 EOBDDIF8 8569D6C9 


9BAFFA43 


This is the val 
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